Server-Assisted Generation of a Strong Secret from a Password

Size: px

Start display at page:

Download "Server-Assisted Generation of a Strong Secret from a Password"

Clement Briggs
8 years ago
Views:

1 Server-Assisted Generation of a Strong Secret from a Password Warwick Ford, VeriSign, Inc. (Joint research with Burt Kaliski, RSA Laboratories)

2 Requirement! User who roams between client terminals needs to obtain private key or data strongly authenticate to application servers! No local stored state! No smartcards! Private data downloaded from online credentials server

3 Traditional Credentials Server Solution User presents password Private Data Delivery Protocol Credentials Server Credentials Repository Throttling/lockout function! Surveyed in Perlman & Kaufman, NDSS 99 Examples EKE, SPEKE! Protocol exposes no information about private data! Throttling/lockout: Limits password guessing Makes friendly passwords possible Based on failed password authentications

Surveyed in Perlman & Kaufman, NDSS 99 Examples EKE, SPEKE!

4 Weakness in Traditional Design! If server compromised, attacker can potentially: Attack credentials database, e.g., password verifiers by exhaustive attack (even if passwords not determinable directly) Disable throttling/lockout and exhaustively attack with password guesses! Vulnerable to password attack! Password exposure means private data exposure! Many users may be compromised in one attack

, password verifiers by exhaustive attack (even if passwords not determinable directly) Disable

5 Solution - Multiple Servers User presents password Private Data Delivery Protocol Private Data Delivery Protocol Throttling/lockout function Credentials Server Credentials Server Credentials Repository Credentials Repository Throttling/lockout function! Objective: Compromise of one server exposes neither private data nor password! Not as easy as it looks Ordinary secret-sharing not adequate if servers have to verify passwords

Credentials Repository Throttling/lockout function!

6 Basic Approach! Client generates strong master secret K via interaction with two or more servers! Client proves successful regeneration of K to all servers! K can unlock encrypted private data or facilitate authentication to other servers! No server can learn K or password

7 In More Detail! Pre-knowledge User knows password P Each server S i holds its own secret d i for that user Each S i also holds its own strong verifier K i for K! Client generates strong master secret K For each S i, client computes strong secret R i via a password hardening transaction depending on P and d i subject to throttling/lockout Combines all the R i to give K! Client proves successful regeneration of K to servers For each server S i generates strong verifier K i from K Demonstrates knowledge of K i to server S i! K can unlock encrypted private data or facilitate authentication to other servers

Client generates strong master secret K For each S i, client computes strong secret R i via a password hardening transaction depending on P and d i

8 Secret-Strengthening Protocol User U Shared strong prime p = 2q + 1 Server S 1 Password P entered w = f(p) Generate random k U, r U, d 1 s 1 s 1 = r d 1 mod p r = w k mod p R 1 = s 1 1/k mod p = w d 1 mod p! Properties: R 1 is a strong secret Observer cannot feasibly learn R 1,d 1 or P Server cannot feasibly learn R 1 [or P?] Same R 1 always generated for same P

9 Do It with Two Servers User U Password P entered w = f(p) Generate random k U, r s 1 Server S 1 s 1 = r d1 mod p U, d 1 r = w k mod p R 1 = s 1 1/k mod p = w d 1 mod p R 2 = s 2 1/k mod p = w d 2 mod p K = KDF (R 1, R 2 ) U, r Server S 2 s 2 = r d2 mod p s 2 U, d 2! Properties: K is a strong secret Observer cannot feasibly learn K or P Neither server can feasibly learn K or P Same K always generated for same P Both servers need to cooperate for K to be generated

10 Now Prove It was Successful User U Pre-establish K 1 = OWF(K, 1) K 2 = OWF(K, 2) Server S 1 Generate n 1 K 1 = OWF(K, 1) n 1 OWF (K 1,n 1 ) Verify OWF (K 1,n 1 ) U, K 1 K 2 = OWF(K, 2) n 2 Server S 2! Properties: OWF (K 2,n 2 ) Generate n 2 Verify OWF (K 2,n 2 ) Each server gets proof that client knows K Server s knowledge of K i does not feasibly assist determining K (or password) U, K 2

11 Some Variants! Other secret-strengthening protocols ECC variant is obvious RSA-based also exists! Other verification methods K decrypts a private digital signature key; signed nonce proves regeneration to server holding public key! Use threshold functions in combining hardened passwords! Use other functions of master secret to authenticate to other (application) servers

Other verification methods K decrypts a private digital signature key; signed nonce proves

12 A Special Case Variant! Client interacts with password hardening server S 1 to obtain R 1! Client uses T 1 derived from R 1 to authenticate to a second server S 2! S 2 confidentially delivers to client: secret K encrypted under T 2 derived from R 1! Client decrypts K! Client verifies to S 1 by proving regeneration of K

Client uses T 1 derived from R 1 to authenticate to a second server S 2!

13 Special Case Variant - Protocol User U Password P entered w = f(p) Generate random k r = w k mod p R 1 = s 1/k 1 mod p T 1 = OWF(R 1, 1) T 2 = OWF(R 1, 2) K = D T2 (E T2 (K)) Server S 1 s 1 = r d1 mod p U, r U, d 1 T 1 s 1 Server S 2 E T2 (K) U, T 1, E T2 (K) Secure channel! Properties: Then prove knowledge of K to S 1 Attractive when S 2 already exists (e.g., SSL or SPEKE server) Adding one password hardening server S 1 provides the requisite added strength

Server S 2 E T2 (K) U, T 1, E T2 (K) Secure channel!

14 The Fundamental Characteristics! Must recover a master secret using more than one independent server all of which contribute to recovering the secret all of which employ throttling/lockout! At least one secret-contributing server must use secret-strengthening! Must prove successful regeneration of a strong secret to at least two verification servers

contribute to recovering the secret all of which employ throttling/lockout!

15 Non-Repudiation Ramifications! Single server design is weak wrt nonrepudiation user can plausibly claim that insider/penetrator at the server recovered the private key and signed! The multi-server design significantly improves non-repudiation it is much harder to mount a plausible argument that independently controlled servers colluded! But, claims of non-repudiability still rest on confidence that the client terminal is secure there is no silver bullet for this concern

16 Summary of the Technology! Traditional credentials server architecture is vulnerable to server compromise and exhaustive password guessing against stored password-derived values Server vulnerability raises security concerns and kills non-repudiation! Need multiple independent servers contributing to secret regeneration Each must independently throttle/lockout! Need password hardening as a basis of establishing strong secret from weak secret

guessing against stored password-derived values Server vulnerability raises security concerns and kills

17 Deployment Status!Current-shipping VeriSign enterprise PKI offering includes the option: Two-server secret-strengthening technology to support protection of private key plus arbitrary user data Servers may be operated by Enterprise and/or VeriSign!Alternative packagings (e.g., for SSO, Aggregation) in development

Two-server secret-strengthening technology to support protection of private

18 For More Information! See Ford/Kaliski WETICE 2000 paper at: Contact details: Warwick Ford, VeriSign, Inc. Tel: (781) x225

verisign.com/repository/pubs/roaming.pdf!

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department